Classified documents were stolen from high levels of the Indian government by hackers over the course of several months, according to a report released on Monday night by researchers from the University of Toronto.
The researchers, from the Citizen Lab at the Munk Centre for International Studies, traced the botnet (a network of compromised computers) used in the attacks to hackers based in China, but say there isn’t any evidence linking the activity to the Chinese government. Their report reveals how the hackers made sophisticated use of social media sites to control their botnet, making it much harder to trace and shut down.
The compromised documents included confidential assessments of India’s international relations with West Africa and the Middle East, visa applications, and personal information concerning a member of the Directorate General of Military Intelligence. The attackers also broke into systems belonging to academics, journalists, and the offices of the Dalai Lama–they were able to obtain a year’s worth of the Dalai Lama’s e-mail, and academic reports on several Indian missile systems.
Many of the techniques used by the attackers have been employed by other spy networks, including GhostNet, which was revealed by the same researchers last year, and the recent attacks on Google. As before, the attackers stole data by sending malware targeted to specific individuals within an organization. The malware then connected compromised computers to a botnet commanded by the attackers that issued instructions and funneled the stolen data to servers where attackers could access it. “Antivirus systems are not terribly effective against these targeted attacks,” says Greg Walton, a SecDev Fellow at the Citizen Lab who researched the attacks.
However, this time attackers also used cloud-based websites to make it harder to shut down their botnet’s command-and-control infrastructure. Ron Deibert, director of the Citizen Lab, said in a press conference that the way that attackers use social media sites to shield their malicious activity reveals the “dark, hidden core” of cloud services.
After a computer was infected with malware, it would check in with the botnet for orders. Usually that would mean contacting a server controlled by the attackers. But in this case, infected computers were programmed to access social sites including Twitter, Baidu blogs, and Google Groups, where they were directed to the URL of a control server. Using the social sites allowed attackers to move their operations whenever part of their infrastructure was shut down, explained Nart Villeneuve, who is a senior SecDev research fellow at Citizen Lab, at the press conference. It also kept network administrators from becoming suspicious.
The attackers also made innovative use of Yahoo’s e-mail application programming interface, Villeneuve said. Their malware instructed infected computers to connect to attackers’ Yahoo mail accounts through this interface, then report on their name, operating system, and IP address. The attackers also used this connection to install additional malware on the computer, and to issue commands. Villeneuve says that this system served mainly as a backup for the attackers, in case the Web-based infrastructure was disabled.
Brett Stone-Gross, a researcher at the University of California, Santa Barbara, who studies botnets, says the report shows a shift in strategy for controlling botnets. Not only does it make it harder for administrators to see that traffic is going to the botnet, he says, but it also makes it harder for them to stop it. Administrators generally can’t blacklist a site such as Twitter or Google Groups without causing too much pain to legitimate users, he points out. Stone-Gross compares the practice to spammers’ use of legitimate Gmail, Yahoo, and Hotmail accounts, which have so much legitimate activity that organizations can’t block the domains to filter out malicious e-mail.
Deibert added at the press conference that, while the research suggests that the hackers behind the attacks are based in China, there isn’t hard evidence that the Chinese government was involved. “We’re eager to work with those parts of the Chinese government that want to solve this,” he said, adding that they’ve been cooperating with China’s Computer Emergency Readiness Team (CERT).
However, Deibert criticized the governments hoping to engage in cyber espionage and warfare. “There is a very real arms race in cyberspace, of which this report is but one small example,” he said. The researchers expect that some of the information stolen by the botnet will make it to the Chinese government through some channel, even if the government did not order the attacks.